Arnie Miles, Georgetown
David Walker, InCommon
Mary Dunker, VA Tech
Benn Oshrin, Spherical Cow Group
Jeff Capehardt, UFL
Ron Thielen, Chicago
Eric Goodman, UCOP
Alternative Means for Two Factor Authentication using Duo Security
On a previous Assurance call, there had been a request for a campus to develop an Alternative Means for Satisfying Assurance Criteria for use of Duo Security Two-Factor Authentication. http://www.incommon.org/duo/
Texas A&M and Penn State have expressed interest, and this will be discussed further during Identity Week, Nov. 11-15.
Shib IdP Enhancements Progress
David Walker reported that the Shibboleth IdP Enhancements Project is in acceptance testing now. The enhancements will enable a Shibboleth IdP to support the InCommon Assurance Program's multiple assurance profiles, as well as other authentication contexts that may be defined by IdPOs and their partners. This work could be used to support Multi-Factor Authentication and the work emerging from the Internet2 Scalable Privacy Project. The SP specifies one or more authentication contexts that it will accept in receiving an identity assertion. The decision of which authentication options to present to the user is based on what the SP requests and on information about the user (retrieved from the IdM system) regarding which authentication contexts that user is certified for (Bronze or Silver).
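To make the decision described above concrete, here is an added illustration (not code from the Shibboleth project or from the enhancements discussed on the call). It parses the RequestedAuthnContext element of a constructed SAML AuthnRequest to get the contexts the SP will accept, in the SP's preference order, and intersects that with the contexts the IdP may assert for the user based on what the IdM system says the user is certified for. The InCommon Bronze and Silver profile URIs are the real ones; the SUBSUMES table (which certified profile may be asserted as which lower context) is an assumption for the example, not something the notes state.

```python
"""Select an authentication context an IdP can satisfy for an SP request.

Added illustration of the decision described in the call notes; not
Shibboleth code. The SP lists acceptable contexts; the IdP picks the first
one the user is certified to satisfy, or fails if there is none.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Real InCommon Assurance profile URIs, plus the common SAML password class.
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# SAML status returned when no requested context can be satisfied.
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Assumption for this example: a user certified at a profile may be asserted at
# that profile or at any context listed under it. Whether a deployment asserts
# Bronze for a Silver-certified user is a local policy decision.
SUBSUMES = {
    SILVER: {SILVER, BRONZE, PASSWORD},
    BRONZE: {BRONZE, PASSWORD},
    PASSWORD: {PASSWORD},
}

# Constructed sample AuthnRequest: the SP accepts Silver or Bronze, Silver first.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-request" Version="2.0" IssueInstant="2013-11-08T00:00:00Z">
  <saml:Issuer>https://sp.example.edu/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{SILVER}</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{BRONZE}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_contexts(authn_request_xml):
    """Return the SP's acceptable AuthnContextClassRef URIs in preference order.

    A request with no RequestedAuthnContext accepts any context; that is
    returned as an empty list and handled by select_context.
    """
    root = ET.fromstring(authn_request_xml)
    path = f"./{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef"
    return [ref.text.strip() for ref in root.findall(path) if ref.text]


def assertable_contexts(certified):
    """Contexts the IdP may assert for a user certified at the given profiles
    (e.g. what the IdM system records for the user)."""
    allowed = set()
    for profile in certified:
        allowed |= SUBSUMES.get(profile, {profile})
    return allowed


def select_context(requested, certified):
    """Pick the first SP-requested context the user can satisfy.

    Returns the chosen context URI, or None when the request cannot be met
    (the IdP would then respond with NO_AUTHN_CONTEXT rather than issuing an
    assertion at a weaker context than the SP asked for).
    """
    if not requested:
        requested = [PASSWORD]  # no constraint from the SP: plain login
    allowed = assertable_contexts(certified)
    for ctx in requested:
        if ctx in allowed:
            return ctx
    return None


if __name__ == "__main__":
    wanted = requested_contexts(SAMPLE_AUTHN_REQUEST)
    for user, certified in (("silver-user", {SILVER}), ("bronze-user", {BRONZE}),
                            ("uncertified", {PASSWORD})):
        chosen = select_context(wanted, certified)
        print(user, "->", chosen or NO_AUTHN_CONTEXT)
```

Running the script shows the three outcomes the enhancement has to handle: a Silver-certified user gets the SP's preferred context, a Bronze-certified user gets the SP's fallback, and a user certified for neither produces a NoAuthnContext failure rather than a downgraded assertion. The real IdP additionally has to map the chosen context to a login flow (password, MFA, and so on); that mapping is left out here because the notes do not describe it.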
It was noted that the CommIT project may also benefit from this Shib Enhancement. Others have solved this problem in a custom way, but this will be a more general tool.
The project status wiki page has a link for downloading the code. The plan is to finish this work by the end of 2013.
There will be some training / marketing / outreach materials so the community will know about the new features.
Assurance Advisory Committee (AAC) Update
Mary Dunker reported on recent activities of the AAC
Several nominations for AAC membership were received during the recent call for nominations period of Sept. 26 – Oct 31, 2013.
This is to fill slots on the AAC for an SP representative, an IdP representative, an auditor, and potentially a member at large.
The open slots are due to current members' terms expiring. The plan is to ask each candidate to submit two paragraphs summarizing their interest, background, ability to make the necessary time commitment, and their institution's support of the required time commitment. The AAC hopes to have a recommendation to Steering in December regarding new AAC members.
Updated AD Assurance Cookbook
The AAC has also been providing guidance around interpretation of the Assurance spec to the group working on the updated version of the AD Assurance Cookbook. Several members of the AAC had a good call with the AD Assurance group recently, and the questions and issues have been resolved from the AAC's perspective. The AD Assurance group has done an excellent job in updating the Cookbook. The whole community will benefit.
Cloud Security Alliance Cloud Controls Matrix
The Cloud Security Alliance is producing a Cloud controls matrix and including some information relative to higher ed. The InCommon TAC and the AAC are looking at where we can provide input around federated authentication and IdM. One goal is to ensure that Net+ services have appropriate security features and can be easily integrated into a federated environment.
On the TAC webinar of October 10, 2013, a poll was conducted about current status relative to MFA. Mary is interested in who in this group is implementing MFA and in how that fits in with the Assurance profiles.
Arnie: Georgetown is looking at a new IDM system and whether and how to incorporate MFA is a big part of the discussion. It was agreed that the InCommon Assurance profiles can be a helpful tool in developing requirements and processes for a new IDM system.
David noted that campuses looking at MFA may want to participate in the discussions of the MFA Cohortium https://spaces.at.internet2.edu/display/mfacohortium/Home
AD Assurance Cookbook
The AD Assurance Cookbook has been updated in light of the revised spec (1.2). Community feedback period ended Nov. 8.
The conversations with the AAC about how to interpret the spec were helpful. Excellent feedback was received from Joe St. Sauver. Brian Arkills responded to those comments on behalf of the group. One of the challenges of the AD Cookbook is keeping the scope to AD technology specific issues or compliance with the silver profile. Some feedback received pertained to things that are good to do, but not within this defined scope.
A diagram is being developed to clarify some of the descriptions.
Ann noted that it was initially thought that an alternative means would be required for AD and Silver. But the Cookbook has described the fact that an alternative means is not necessarily needed, depending on the architecture of how a site is using AD.
If there are further comments, please send them to the list or send them to Ann and she will forward them.
Reading Bronze to begin in December
Ann reported that over the last several months, a number of individuals have expressed interest in discussing the interpretation of the Bronze (and later Silver) profile specifics.
To help with this request, InCommon is spinning up a Reading of the Bronze Profile over 8 hour-long biweekly sessions. A week before the call, Ann will announce the section to be discussed so that attendees can review the points and come prepared to discuss. If there are issues that need further illumination, the group will ask for guidance from the AAC.